Windows Analysis Report JXblq0dqPN.exe

Overview

General Information

Sample Name: JXblq0dqPN.exe
Analysis ID: 458740
MD5: 8718d75b7cac53f13d01ddea9b52cee0
SHA1: 2a37a01df74c887bb52eb2762d7d6ae0bd5e6b0b
SHA256: 6f40242247db00eea1922d0c2a38337ddea49d9da02693679d2e4bfb19e6c088
Tags: exe, GuLoader

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.734564394.0000000002BA0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.bin"}
Multi AV Scanner detection for submitted file
Source: JXblq0dqPN.exe Virustotal: Detection: 35%
Source: JXblq0dqPN.exe ReversingLabs: Detection: 17%
Machine Learning detection for sample
Source: JXblq0dqPN.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: JXblq0dqPN.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA58C6 NtAllocateVirtualMemory, 1_2_02BA58C6
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA58B5 NtAllocateVirtualMemory, 1_2_02BA58B5
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA5983 NtAllocateVirtualMemory, 1_2_02BA5983
Detected potential crypto function
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA58C6 1_2_02BA58C6
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA26BA 1_2_02BA26BA
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA42BF 1_2_02BA42BF
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA46B5 1_2_02BA46B5
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA58B5 1_2_02BA58B5
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA7E98 1_2_02BA7E98
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA80FC 1_2_02BA80FC
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA20EC 1_2_02BA20EC
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA24E2 1_2_02BA24E2
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA28E2 1_2_02BA28E2
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA5CD0 1_2_02BA5CD0
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA483C 1_2_02BA483C
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA1C35 1_2_02BA1C35
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA0223 1_2_02BA0223
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA7012 1_2_02BA7012
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA4214 1_2_02BA4214
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA4A0A 1_2_02BA4A0A
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA6475 1_2_02BA6475
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA4C62 1_2_02BA4C62
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA885F 1_2_02BA885F
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA0641 1_2_02BA0641
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA0647 1_2_02BA0647
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA7FAE 1_2_02BA7FAE
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA3FA3 1_2_02BA3FA3
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA218A 1_2_02BA218A
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA5D82 1_2_02BA5D82
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA1784 1_2_02BA1784
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA85F4 1_2_02BA85F4
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA4BEB 1_2_02BA4BEB
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA7BEC 1_2_02BA7BEC
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA13C7 1_2_02BA13C7
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA4BC5 1_2_02BA4BC5
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA473E 1_2_02BA473E
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA2D2C 1_2_02BA2D2C
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA951E 1_2_02BA951E
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA0708 1_2_02BA0708
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA950D 1_2_02BA950D
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA2F7B 1_2_02BA2F7B
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA7776 1_2_02BA7776
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA3D6D 1_2_02BA3D6D
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA8764 1_2_02BA8764
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA0557 1_2_02BA0557
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA2F54 1_2_02BA2F54
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA3147 1_2_02BA3147
PE file contains strange resources
Source: JXblq0dqPN.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: JXblq0dqPN.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: JXblq0dqPN.exe, 00000001.00000002.732873822.00000000021E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs JXblq0dqPN.exe
Source: JXblq0dqPN.exe, 00000001.00000002.730732122.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUBESKADIGEDES.exe vs JXblq0dqPN.exe
Source: JXblq0dqPN.exe Binary or memory string: OriginalFilenameUBESKADIGEDES.exe vs JXblq0dqPN.exe
Uses 32bit PE files
Source: JXblq0dqPN.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal88.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\JXblq0dqPN.exe File created: C:\Users\user\AppData\Local\Temp\~DFB54DFFF23F1C40FA.TMP
Source: JXblq0dqPN.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: JXblq0dqPN.exe Virustotal: Detection: 35%
Source: JXblq0dqPN.exe ReversingLabs: Detection: 17%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.734564394.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_00401367 pushfd ; iretd 1_2_0040136A
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_00403268 pushfd ; iretd 1_2_0040326E
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BAA0E4 push FFFFFFD2h; iretd 1_2_02BAA0E9
Source: initial sample Static PE information: section name: .text entropy: 7.08584386702
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA42BF 1_2_02BA42BF
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA46B5 1_2_02BA46B5
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA483C 1_2_02BA483C
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA1C35 1_2_02BA1C35
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA7012 1_2_02BA7012
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA6183 1_2_02BA6183
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA85F4 1_2_02BA85F4
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA473E 1_2_02BA473E
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 0000000002BA7485 second address: 0000000002BA7485 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 0000000002BA7485 second address: 0000000002BA7485 instructions:
Source: C:\Users\user\Desktop\JXblq0dqPN.exe RDTSC instruction interceptor: First address: 0000000002BA98AE second address: 0000000002BA9A11 instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 pop eax
    0x00000004 call 00007FD99CC64BD8h
    0x00000009 mov bl, byte ptr [eax]
    0x0000000b test ebx, eax
    0x0000000d mov byte ptr [ebp+000001EFh], FFFFFFCFh
    0x00000014 xor byte ptr [ebp+000001EFh], 00000064h
    0x0000001b xor byte ptr [ebp+000001EFh], 00000049h
    0x00000022 sub byte ptr [ebp+000001EFh], 00000016h
    0x00000029 cmp bl, byte ptr [ebp+000001EFh]
    0x0000002f je 00007FD99CC64B6Bh
    0x00000031 mov bx, word ptr [eax]
    0x00000034 cmp eax, edx
    0x00000036 test edi, 0B419DFAh
    0x0000003c mov word ptr [ebp+00000218h], si
    0x00000043 mov si, 2562h
    0x00000047 jmp 00007FD99CC64C85h
    0x0000004c pushad
    0x0000004d lfence
    0x00000050 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA42BF rdtsc 1_2_02BA42BF
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA42BF rdtsc 1_2_02BA42BF
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA54A8 mov eax, dword ptr fs:[00000030h] 1_2_02BA54A8
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA7879 mov eax, dword ptr fs:[00000030h] 1_2_02BA7879
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA7874 mov eax, dword ptr fs:[00000030h] 1_2_02BA7874
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA85F4 mov eax, dword ptr fs:[00000030h] 1_2_02BA85F4
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA2D2C mov eax, dword ptr fs:[00000030h] 1_2_02BA2D2C
Source: C:\Users\user\Desktop\JXblq0dqPN.exe Code function: 1_2_02BA7377 mov eax, dword ptr fs:[00000030h] 1_2_02BA7377
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: JXblq0dqPN.exe, 00000001.00000002.732335333.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: JXblq0dqPN.exe, 00000001.00000002.732335333.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: JXblq0dqPN.exe, 00000001.00000002.732335333.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: JXblq0dqPN.exe, 00000001.00000002.732335333.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
No contacted IP infos